Exposing hard-coded credentials and sensitive secrets through public code repositories has been a major security risk for organizations for years, with over 10 million new instances of credential leaks detected on GitHub alone in 2022. A new free service called HasMySecretLeaked now allows organizations to securely and privately check if any of their secrets are in a database of 20 million exposed records collected by security firm GitGuardian since 2020.
GitHub already has its own free service that notifies repository owners when secrets are detected in their public repositories, but it is built around the token formats of its partner providers: mostly cloud API access keys and other service-issued tokens whose patterns the partners supply so that GitHub can recognize and report them. GitGuardian’s HasMySecretLeaked covers many more types of hard-coded secrets, both service-specific and generic, including database passwords, encryption keys, username and password combinations, messaging tokens, SSH credentials, and email passwords.
The company has been scanning every public code commit on GitHub for hard-coded secrets for the past several years, refining its detection algorithms, expanding the list of supported credential formats, and lowering false-positive rates. In 2020 it uncovered 3 million exposed secrets on GitHub, in 2021 it found 6 million, and in 2022 over 10 million.
GitGuardian used its research to release an annual report called The State of Secrets Sprawl as well as to build and enhance its own code security platform that prevents developers and engineers from accidentally leaking secrets in their code, build scripts, Docker images, configuration files and so on.
Search your own repositories vs. searching all
Secret-detection services have generally been built with the goal of serving repository owners. GitHub will notify the repository owner if a secret is detected in a repository they own and will also notify a partner service like AWS if the secret is an AWS key so that Amazon can make the decision to revoke it before it’s abused. GitGuardian’s own security platform will notify the organization if a secret is found anywhere in their software development pipeline: code, Docker images, DevOps environment, etc.
However, HasMySecretLeaked was built with a different goal: to let organizations check whether any of their known secrets have leaked anywhere on GitHub, including in repositories owned by other parties. Such external leaks are not unusual. For example, one of an organization’s developers might publish a piece of code in their own public repository and forget to scrub one of the organization’s tokens from it. Or developers who are allowed to contribute to a community project might forget to remove a private database URL that embeds credentials.
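To make concrete what "detecting hard-coded secrets" in a commit means, here is an added illustrative scanner. It is example code written for this article, not GitGuardian's or GitHub's detection engine, and its patterns and thresholds (the credential-name regex, the 16-character minimum, the 3.5-bit entropy cutoff, the placeholder markers) are assumptions chosen for the demonstration. It runs three kinds of rule over a constructed settings file: a URL whose userinfo carries a password (the private database URL scenario above), a service-specific format (the AWS access key ID prefix, using the placeholder key from AWS's own documentation as sample input), and a generic high-entropy rule for variables whose names suggest a credential, with placeholder and low-entropy filtering to keep false positives down.

```python
"""Illustrative hard-coded-secret scanner (added example, not GitGuardian's detector)."""
import math
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: a settings file a developer might push to a personal public
# repository without scrubbing it. None of these values are real credentials; the
# AWS key is the placeholder key that appears in AWS's own documentation.
SAMPLE_SOURCE = """\
DATABASE_URL = "postgres://app_user:Sup3rS3cret!@db.internal.example.com:5432/orders"
CACHE_URL = "redis://cache.internal.example.com:6379/0"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "q8Zt2vL0mXc7RwP4kJ6sYb1H"
PAYMENT_API_KEY = "<your-api-key>"
DEBUG = "true"
"""

URL_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"']+")
AWS_AKID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Generic rule inputs: an assignment whose name suggests a credential and whose
# quoted value is long and high-entropy. Thresholds are hypothetical, chosen here.
ASSIGN_RE = re.compile(r"""^\s*(?P<name>\w+)\s*[=:]\s*["'](?P<value>[^"']+)["']""")
SECRET_NAME_RE = re.compile(r"(?i)(key|token|secret|passw(?:or)?d|pwd)")
PLACEHOLDER_MARKERS = ("<", ">", "example", "placeholder", "changeme", "xxx", "your")
MIN_LENGTH = 16
MIN_ENTROPY_BITS = 3.5


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    name: str
    redacted: str  # never carry the full secret into logs or reports


def shannon_entropy(s):
    """Bits of entropy per character; random tokens score high, 'aaaa' scores 0."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    return value[:4] + "..." + f"({len(value)} chars)"


def looks_like_placeholder(value):
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def scan_line(line_no, line):
    findings = []
    m = ASSIGN_RE.match(line)
    name = m.group("name") if m else "?"
    # Rule 1: any URL whose userinfo carries a password (database or queue DSNs).
    for url in URL_RE.findall(line):
        parts = urlsplit(url)
        if parts.password:
            findings.append(Finding(line_no, "credentialed_url", name, redact(parts.password)))
    # Rule 2: a service-specific format, here the AWS access key ID prefix.
    for akid in AWS_AKID_RE.findall(line):
        findings.append(Finding(line_no, "aws_access_key_id", name, redact(akid)))
    # Rule 3: generic and lower precision, so only used when nothing specific fired.
    if not findings and m and SECRET_NAME_RE.search(name):
        value = m.group("value")
        if (len(value) >= MIN_LENGTH
                and not looks_like_placeholder(value)
                and shannon_entropy(value) >= MIN_ENTROPY_BITS):
            findings.append(Finding(line_no, "high_entropy_secret", name, redact(value)))
    return findings


def scan_source(text):
    """Scan a file's contents line by line and return all findings in order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line_no, line))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} in {f.name}: {f.redacted}")
```

Run against the sample, the scanner reports the credentialed database URL on line 1, the AWS key on line 3, and the high-entropy token on line 4, while the redis URL without a password, the `<your-api-key>` placeholder and the `DEBUG` flag produce nothing. The ordering of the rules matters: the generic rule is deliberately last and suppressed when a precise rule has already matched, which is the kind of precision tuning a production detector needs to keep its false-positive rate down.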